Greers or Elgin Ltd - General Data Protection Regulation (GDPR)

The new General Data Protection Regulation

The new General Data Protection Regulation (GDPR) places additional obligations on businesses with regard to the safeguarding of personal data.

The GDPR requires all organisations that deal with individuals living in an EU member state to fully protect the personal information belonging to those individuals, and to have documented proof of such protection. The UK's decision to leave the EU will not affect the introduction of the legislation in the UK.

The new regulations require a consistent and transparent approach to data processing, and the financial penalties for failing to comply are severe - with fines of up to €20m or up to 4% of total annual worldwide turnover.

New requirements for businesses

While the principles of the new GDPR are broadly similar to the existing Data Protection Act (DPA), there are some key changes placing additional obligations on businesses.

The GDPR places a new emphasis on accountability and transparency when it comes to dealing with personal data. While businesses may already be compliant with many of the regulations as covered under the DPA, they are required to provide documentary evidence of their compliance with the GDPR.

Specifically, the new rules state that businesses must be accountable for their data usage, and must identify a lawful basis for processing personal data.

The GDPR specifies that personal data must be:

processed lawfully, fairly and in a transparent manner

collected for specified, explicit and legitimate purposes

adequate, relevant and limited to what is necessary

accurate and, where necessary, kept up to date; where personal data is inaccurate, it should be either erased or rectified without delay

kept in a form which permits identification of data subjects for no longer than is necessary

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The GDPR builds on the existing rights and principles for individuals under the DPA, as well as introducing some additional rights. Some of the key rights under the GDPR include:

Condition for consent - you must obtain consent from individuals to gather information for specific purposes, and be able to prove that you have done this

Right to access data - individuals may request details of information that is held about them, how, why and where it is accessed, what categories of data are being accessed and who has access to the information. The maximum amount of time allowed to deal with a subject access request has also been reduced from 40 to 30 days under the GDPR, and the right to charge a subject access fee has been removed (except in the case of unfounded, excessive or repetitive requests)

Right to erasure - individuals have the right to ask that data about them is deleted. This would include ensuring that all copies of information are deleted, including data stored in an online cloud system

Right to rectification and objection to profiling - individuals may request that inaccurate data is corrected, and may object to any profiling that could result in them being discriminated against.

Further information and guidance can be found on the Information Commissioner's Office website: www.ico.org.uk.

Documents

Below is a list of documents available for download should you require further information.